Publications Scheme
Publishing for Transparency Procedure
Information resources to publish on the School website to comply with GDPR Transparency requirements
The following activities are designed to help the School make basic information available on its website that the public and the Regulator would expect to be available under GDPR. There is a requirement to be open and transparent about Data Processing, and publishing the following information will be effective evidence that the School is complying.
Policies
The following documents should be published on a page where your main school policies are already published. You are free to add in any branding which shows the documents are owned by the School (such as the School logo etc.):
| Data Protection Policy |
| Statutory Requests for Information Policy |
| Publication Scheme |
Privacy Statement & Notices
This content should be published on a web page that is ‘one-click’ away from the School website Home Page. Most website templates have Home Page links to content such as ‘Privacy Policy’ or ‘About Cookies’.
The following document is a statement covering the School’s commitment to privacy and what information the website captures about users (including Cookies), so you only need one link to it. We suggest the link is titled “Privacy Notices”.
If your website template does not have an existing link for ‘Privacy Notices’ or ‘Cookies’, then approach your web designer for one to be added. Failing that, you should have a menu item titled “Privacy” which links to this content.
| Overarching Privacy Notice |
| Child Friendly Privacy Notice |
On the page where the Privacy Notices are published, you should provide links to any of the following ‘Privacy Notices’ which are relevant to your school.
Each relevant Privacy Notice should be checked first to ensure the content is accurate and the School is satisfied that it can meet the commitments it is making through the Notices.
You are free to add in any branding which shows the documents are owned by the School (such as the School logo etc.).
Each Privacy Notice should have its own URL (web address) to which you can provide links from any forms where you collect personal data.
| Processing for Security purposes (including ID Cards and Visitor Data). A separate section is included for CCTV that can be removed if not required. |
| Processing under ‘Consent’ (e.g. Marketing) |
| Processing under ‘Consent’ (use of Photo and Video, and additional school activities) |
| Delivery of the Curriculum and Pastoral Care |
| Processing of Employee Data |
| Processing of Governor Data |
| Processing of school volunteer data |
| Processing of Online Payments |
| Processing of Biometric Data |
| Publishing Pupil Coursework |
| Processing of visitor data |
As your school processes special category personal data, it is required to have a Data Protection Policy Statement to provide assurance on how it handles such information. This should also be published alongside your privacy notices.
| Data Protection Policy Statement |
You should also publish your Security Measures Document (H2) alongside your privacy notices to make clear the steps the school has taken to protect the personal data in its custody.
| Security Measures Document |
Rights
The following document can be published to help parents/ guardians understand their rights when making Data Protection related requests of the School.
Although it is not technically a Policy, it is closely related to the content of the Statutory Requests for Information Policy and may make sense to publish alongside this Policy.
The Parents’ Guide to Subject Access Requests (SAR) clarifies when parents are able to make a SAR and how to make a request, as well as managing expectations regarding timescales and what happens if their child is over 12.
| GDPR Rights Guidance for Parents/ Guardians |
| Parents’ Guide to Subject Access Request |
Emails
It is good practice to add a disclaimer to all emails that leave your organisation, to protect any personal data within the communication. You can ask your IT Provider if they can add this to your global settings, so that it does not have to be added individually. The following is suggested wording:
This email and any attachments may contain legally privileged or confidential information. Any use, copying or disclosure other than by the intended recipient is unauthorised. If you have received this message in error, please notify the sender and confirm that it has been deleted from your system and no copies have been made.